Does this .htaccess security setting really work?

What does this .htaccess do?



Am I correct in thinking that all it does is prevent automatic brute force attacks?



So, to access wp-login.php you have to manually type in the URL of the domain, so that negates all the bots seeking out wp-login.php.



Am I correct?



Here's the .htaccess rule:



<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https://(.*)?my-domain.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>









tagged htaccess

asked 3 hours ago by henry

2 Answers

It appears to prevent any POST requests to wp-login.php that aren't made from a page on my-domain.com.

When the browser sends a POST request, say after submitting a form, it will include an HTTP Referrer header telling the server where the request came from.

This theoretically prevents bots submitting POST requests directly to wp-login.php as part of a brute force attack, but the HTTP referrer is trivial to fake, so it's not actually all that helpful.

answered 1 hour ago by Jacob Peattie

You Are Partly Correct

Your above code helps protect your WordPress site by only allowing login requests that come directly from your domain.

Most brute force attacks send POST requests directly to your wp-login.php script. So requiring a POST request to have your domain as the referrer helps stop these bots.

You could go one step further if you have a static IP by using the following code:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111$
RewriteRule ^(.*)$ - [R=403,L]

*Replace with your static IP address.

*Might not work if your site is behind a DNS service such as CloudFlare.

edited 1 hour ago, answered 1 hour ago by Invariant Change
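Both rule sets on this page, the question's Referer check and the second answer's static-IP check, modelled as an added Python example (not code from the page or from Apache) so their conditions can be run against constructed requests and the difference between a bare bot POST, a forged Referer and a browser form post is visible. The Referer and URI patterns are the page's own; the sample requests and the 203.0.113.9 address are constructed, and the model assumes a missing Referer expands to an empty %{HTTP_REFERER}.

```python
import re

# Model of the two mod_rewrite rule sets on this page, written as plain Python so the
# conditions can be run against constructed requests. RewriteCond patterns are searched
# (not fully matched), and the [NC] flag corresponds to re.IGNORECASE.
REFERER_ALLOWED = re.compile(r"^https://(.*)?my-domain.com", re.IGNORECASE)  # question's pattern, verbatim
LOGIN_URI = re.compile(r"^(.*)?wp-login.php(.*)$")
ADMIN_URI = re.compile(r"^(.*)?wp-admin$")

def is_login_target(uri):
    """True when the URI satisfies either of the two [OR]-joined REQUEST_URI conditions."""
    return bool(LOGIN_URI.search(uri) or ADMIN_URI.search(uri))

def referer_rule_blocks(method, uri, headers):
    """Question's rule: POST AND Referer NOT matching AND (wp-login.php OR wp-admin) -> [F].

    A missing Referer behaves like an empty %{HTTP_REFERER} (assumption): the negated
    pattern then holds, so a bare bot POST is blocked, but a forged Referer passes.
    """
    if method != "POST":
        return False
    if REFERER_ALLOWED.search(headers.get("Referer", "")):
        return False  # the '!' condition fails, the chain stops, nothing is forbidden
    return is_login_target(uri)

def ip_rule_blocks(uri, remote_addr, allowed_ip="111.111.111.111"):
    """Second answer's rule: (wp-login.php OR wp-admin) AND REMOTE_ADDR != allowed_ip -> 403.

    Behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address, not the visitor's,
    which is why the answer warns the rule may not work behind CloudFlare.
    """
    return is_login_target(uri) and remote_addr != allowed_ip

def evaluate_samples():
    """Run both rules over constructed requests; returns {label: (referer_blocked, ip_blocked)}."""
    samples = {  # constructed sample requests (method, uri, headers, remote_addr), not from the page
        "browser form post": ("POST", "/wp-login.php", {"Referer": "https://my-domain.com/wp-login.php"}, "111.111.111.111"),
        "bot post, no referer": ("POST", "/wp-login.php", {}, "203.0.113.9"),
        "bot post, forged referer": ("POST", "/wp-login.php", {"Referer": "https://my-domain.com/"}, "203.0.113.9"),
        "get login page": ("GET", "/wp-login.php", {}, "203.0.113.9"),
    }
    return {label: (referer_rule_blocks(m, u, h), ip_rule_blocks(u, ip))
            for label, (m, u, h, ip) in samples.items()}

if __name__ == "__main__":
    for label, (ref, ip) in evaluate_samples().items():
        print(f"{label:26s} referer rule blocks: {ref!s:5s} ip rule blocks: {ip}")
```

The third sample is the case the first answer describes: once the Referer header carries the site's own origin, the question's rule lets the request through, whereas the IP rule still blocks it.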



























                               
